Re: How to deal with proxy authentication bypass

In my case I have the domains, for example from Webex, which I get from their official support page. It seems that I am doing something wrong or I am not understanding it well.
I based this on this documentation: https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass

The error I get is 407. I understand that, with the configuration I have, authentication should not be requested for those domains, but apparently it is.

Below I have a bandwidth control configuration with an acl note; I don't know if that could be triggering the Webex client authentication request.
Maybe someone with more experience can tell me.

Thank you very much.
Gabriel

On Sat., 26 Sep. 2020 at 13:12, Ajb B (ajb23@xxxxxxxxx) wrote:
I looked this up and it looks like the reason Google does not work with Kerberos authentication (I think) is that Google makes requests to other domains:

(Please look at the second comment of the first answer.)

The solution would be to create an ACL to allow the Google and Cisco domains, but I don't think it will work because they make requests to other domains. It would be something like:

acl allowed_domains dstdomain google.com
http_access allow allowed_domains

Please note you would have to place it before your ACL, in the lines where you have:

http_access allow authenticated
http_access deny all

I don't really have a solution except to look at your access.log file (in /var/log/squid), see the other domains Google is making requests to, and then add them to your ACLs as well.


Thanks,
Adrian
On Friday, September 25, 2020, 5:28:36 PM CDT, Service MV <service.mv@xxxxxxxxx> wrote:


Hello everyone, I am trying, unsuccessfully, to deal with proxy authentication bypass.
Even looking at the documentation I can't get it right. The point is that certain programs, such as the Cisco Webex client or the Google Earth Pro client, do not know how to speak well with Squid's Kerberos authentication, so I want them not to authenticate for the domains they use.
For everything else I have no problems with authentication.
I attach the logs I get and my configuration, to see if they help.

Thank you very much in advance.
Best regards
Gabriel

squid.conf
visible_hostname s-px4.mydomain.com
#http_port 3128 require-proxy-header
http_port 3128
error_directory /opt/squid-503/share/errors/es-ar
forwarded_for transparent
shutdown_lifetime 0 seconds
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
read_timeout 5 minutes
request_timeout 3 minutes
cache_mem 1024 MB
maximum_object_size_in_memory 4 MB
memory_cache_mode always
ipcache_size 2048
fqdncache_size 4096
#cache_mgr 
httpd_suppress_version_string on
coredump_dir /opt/squid-503/var/cache/squid

auth_param negotiate program /opt/squid-503/libexec/negotiate_kerberos_auth -i -r -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=150 idle=10
auth_param negotiate keep_alive on

auth_param basic program /opt/squid-503/libexec/basic_ldap_auth -P -R -b "dc=mydomain,dc=com" -D "cn=ldap,cn=Users,dc=mydomain,dc=com" -W /opt/squid-503/etc/ldappass.txt -f sAMAccountName=%s -h s-dc00.mydomain.com
auth_param basic children 30
auth_param basic realm Proxy Authentication
auth_param basic credentialsttl 4 hour

#acl vip_haproxy src 10.10.8.92
#proxy_protocol_access allow vip_haproxy

external_acl_type NO_INTERNET_USERS ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-503/libexec/ext_kerberos_ldap_group_acl -g INTERNET_OFF -i -D NUEVENET.MEDIOS
acl NO_INTERNET external NO_INTERNET_USERS

acl SSL_ports port 443
acl SSL_ports port 8543         # LiveU Central
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 81          # coto "yo te conozco" donkey ports
acl Safe_ports port 623         # coto "yo te conozco" donkey ports
acl Safe_ports port 8543        # LiveU Central management
acl Safe_ports port 18255       # LiveU Central files download
acl Safe_ports port 33080       # ddjj
acl Safe_ports port 9090        # asociart
acl Safe_ports port 8713        # handball results
acl Safe_ports port 8080        # cponline.org.ar

# Lists of domains and IPs
acl LS_winupddom dstdomain "/opt/squid-503/acl/winupddom.txt"
acl LS_whitedomains dstdomain "/opt/squid-503/acl/whitedomains.txt"
acl LS_blackdomains dstdomain "/opt/squid-503/acl/blackdomains.txt"
acl LS_porn dstdomain "/opt/squid-503/acl/porn.txt"
acl DOM_Malware dstdomain "/opt/squid-503/acl/DOM_Malware.txt"
acl IP_Malware dst -n "/opt/squid-503/acl/IP_Malware.txt"
acl LS_webex dstdomain "/opt/squid-503/acl/webex.txt"

# Access lists
acl http proto http
acl port_80 port 80
acl port_443 port 443
acl port_9000 port 9000
acl port_5061 port 5061
acl port_5065 port 5065
acl CONNECT method CONNECT

#acl authenticated proxy_auth REQUIRED
# Deny internet to members of the INTERNET_OFF group
http_access deny NO_INTERNET all

# Allow webex without authentication
http_access allow http port_80 LS_webex
http_access allow CONNECT port_443 LS_webex
http_access allow port_9000 LS_webex
http_access allow port_5061 LS_webex
http_access allow port_5065 LS_webex


http_access deny LS_blackdomains
http_access deny LS_porn
http_access deny DOM_Malware
http_access deny IP_Malware

# default SQUID rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localhost

# Apply 20Mbit/s QoS to members of Active Directory Authenticated Users group
acl Domain_Users note group AQUAAAAAAAUVAAAA7TIfbORUj8PLQv4YAQIAAA==
delay_pools 1
delay_class 1 1
delay_parameters 1 2500000/2500000
delay_access 1 allow Domain_Users

# Allow authenticated users to use internet and deny to all others
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all


cat /opt/squid-503/acl/webex.txt
.ciscospark.com
.webex.com
.quovadisglobal.com
.digicert.com
.accompany.com
.walkme.com
.cisco.com

access.log
1601071522.675      0 10.10.9.250 TCP_DENIED/407 4106 CONNECT join-test.webex.com:443 - HIER_NONE/- text/html
1601071522.684      0 10.10.9.250 TCP_DENIED/407 4029 CONNECT msj1mcccl01.webex.com:443 - HIER_NONE/- text/html
1601071524.717      0 10.10.9.250 TCP_DENIED/407 4086 CONNECT tsa3.webex.com:443 - HIER_NONE/- text/html
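As an added example (not code from the thread), the following Python models how Squid walks these http_access rules top to bottom for the CONNECT requests in the posted access.log: it parses the native log format, applies dstdomain matching (a leading dot matches the domain and all its subdomains) against webex.txt, and, for a request that still carries no credentials, reports the first rule that needs them, since an ACL that requires a user name (proxy_auth, or an external ACL whose format uses %LOGIN) triggers the 407 challenge as soon as it is reached. Only the rules relevant to the logged requests are modelled, and the user is assumed not to be a member of INTERNET_OFF.

```python
# Added example (not from the thread); rule subset and group membership assumed.
# Constructed from the thread's webex.txt (leading dot = domain + subdomains)
WEBEX_DOMAINS = [".ciscospark.com", ".webex.com", ".quovadisglobal.com",
                 ".digicert.com", ".accompany.com", ".walkme.com", ".cisco.com"]

def dstdomain_match(host, patterns):
    """Squid dstdomain: '.x.com' matches x.com and subdomains; 'x.com' exact only."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False

def parse_access_line(line):
    """Native access.log: time elapsed client code/status bytes method url ..."""
    f = line.split()
    code, status = f[3].split("/")
    host, _, port = f[6].rpartition(":")
    return {"client": f[2], "code": code, "status": int(status),
            "method": f[5], "host": host, "port": int(port)}

# The http_access rules that matter for the logged CONNECTs, in posted order.
# ACLs that need a user name: proxy_auth, and an external ACL using %LOGIN.
NEEDS_CREDENTIALS = {"NO_INTERNET", "authenticated"}
RULES = [("deny", ["NO_INTERNET", "all"]),
         ("allow", ["CONNECT", "port_443", "LS_webex"]),
         ("allow", ["authenticated"]),
         ("deny", ["all"])]

def acl_matches(name, req, authenticated):
    return {"all": True, "CONNECT": req["method"] == "CONNECT",
            "port_443": req["port"] == 443,
            "LS_webex": dstdomain_match(req["host"], WEBEX_DOMAINS),
            "NO_INTERNET": False,            # assumed: user not in INTERNET_OFF
            "authenticated": authenticated}[name]

def first_decision(req, authenticated=False):
    """(rule index, outcome): '407' if a rule needs missing credentials, else action."""
    for i, (action, acls) in enumerate(RULES):
        for name in acls:
            if name in NEEDS_CREDENTIALS and not authenticated:
                return i, "407"
            if not acl_matches(name, req, authenticated):
                break
        else:
            return i, action
    return len(RULES), "deny"
```

Running first_decision on the logged CONNECT with authenticated=False lands on rule 0, before the Webex bypass rule is ever reached; the same request with credentials is allowed by rule 1.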




_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users